Communication is key to the successful CSO

Chief security officers (CSOs) need to make communication one of their key skill areas, according to experts at the Black Hat USA 2009 conference in Las Vegas.

Technical skills are essential, but one of the key focuses of the successful CSO must be knowing how to explain the issues of computer security to a variety of audiences.

"Translation is what I have to do half the time: explaining what it means in business terms," said John Stuart, CSO at Cisco.

"Management wants nothing to do with the technology side of attacks at first. Later, when they have 15 minutes, they might want to know the technological details, but for the most part it's business that's important."

Bob Lentz, CSO at the US Department of Defence, said that he "agrees 1,000 per cent".

"There is a very big education that has to go on. It is a big part of our game to move from an IT environment to a business one," he explained.

Lentz said that the Department of Defence security team has a review meeting every morning at 7.30am. The public affairs department is the first to speak, covering any breaking news stories, then the legislative affairs department gives a talk on what Congress is thinking. Only then does the security team get to talk over issues.

Businesses are getting a better idea of what is behind current attacks, but there is still a huge amount of technological ignorance to overcome, according to John Johnson, CSO at John Deere.

"The message has to be tailored to the audience," he said. "They want to know how we are doing. If you don't have the ability to go to your data and give them a meaningful response, they are going to wonder why you have your job."

Knowing when not to communicate something is also important. Stuart said that at Cisco he had refused to sign off on the security of certain product groups. This led to Cisco developing its own internal security groups to examine products, which increased security without hurting his budget.